Network
Security
Illustrated
Jason Albanese
Wes Sonnenreich
McGraw-Hill
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi
Copyright © 2004 by Jason Albanese and Wes Sonnenreich. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
0-07-143355-4
The material in this eBook also appears in the print version of this title: 0-07-141504-1
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at [email protected] or (212) 904-4069.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS”. McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
Dedication
I would like to dedicate this book to my incredible wife Emily, who provided me with the strength and courage to complete this project and to the memory of my grandfather, Irving Monchik, whose spirit and intellect inspires me each and every day.
Jason Albanese
I dedicate this book to my parents, who might actually have been right once or twice, well… maybe just once. Their attention, devotion and unending love have made them the best parents one could hope for, despite Mom’s paranoia about whether I’ve eaten enough or Dad’s endless supply of really bad jokes (like the one about the koala and the prostitute).
Wes Sonnenreich
Contents
Introduction xvii
Acknowledgments xxi
PART 1 Managing Security 1
Summary 1
Key Points 1
Connecting the Chapters 1
Introduction to Managing Security 2
Security and Business Processes 2
The Harsh Truth 4
The Security Philosophy 6
The Security Policy 8
Final Thoughts 11
1 Managing Security: The Security Assessment 13
Technology Overview 13
How the Security Assessment Works 14
Best Practices 18
Final Thoughts 18
2 Managing Security: Systems and Network Monitoring 19
Technology Overview 19
How Systems and Network Monitoring Work 20
Security Considerations 21
Making the Connection 22
Best Practices 23
Final Thoughts 24
00_200423_FM_Sonnenreich 9/3/03 1:17 PM Page v
PART 2 Outsourcing Options 27
Summary 27
Key Points 27
Connecting the Chapters 27
Introduction to Outsourcing Options 28
The Illusion of Outsourcing 28
Outsourcing and Data Security 29
Outsourcing Business Technology 31
Outsourcing Business Services 34
Outsourcing Security Services 36
Final Thoughts 37
3 Outsourcing Options: Outsourcing Network Monitoring 39
Overview 39
How Outsourced Monitoring Works 40
Security Considerations 44
Best Practices 44
Final Thoughts 45
4 Outsourcing Options: Outsourcing Disaster Prevention 47
Overview 47
Preventing Machine Failure 47
Preventing Network Failure 48
Preventing Data Loss 49
Preventing Software Failure 50
Preventing People Failure 52
Preventing Repeat Disasters 52
Final Thoughts 53
5 Outsourcing Options: Outsourcing Proactive Security 55
Overview 55
Policy 56
Auditing 57
Defensive Forensics 58
Protection 59
Vulnerabilities 59
Penetration Testing 61
Final Thoughts 62
PART 3 Reserving Rights 63
Summary 63
Key Points 63
Connecting the Chapters 63
Introduction to Reserving Rights 64
vi Contents
Protecting Your Digital Rights 64
The Other Side of the Coin 67
Putting It All Together 68
Why Today’s Intellectual Property Laws Are Confusing 69
Final Thoughts 77
6 Reserving Rights: Digital Rights Management 79
Technology Overview 79
How Digital Rights Management Works 81
Security Considerations 81
Making the Connection 84
Best Practices 84
Final Thoughts 86
7 Reserving Rights: Copy Protection 87
Technology Overview 87
How Copy Protection Works 88
Security Considerations 91
Making the Connection 92
Best Practices 92
Final Thoughts 93
PART 4 Determining Identity 95
Summary 95
Key Points 95
Connecting the Chapters 95
Introduction to Determining Identity 96
Your Digital Identity in General 97
Digital Identity: The Secure Way 100
How Many Factors? 101
Final Thoughts 103
8 Determining Identity: Passwords 105
Technology Overview 105
How Passwords Work 107
Security Considerations 108
Making the Connection 110
Best Practices 111
Final Thoughts 113
9 Determining Identity: Digital Certificates 115
Technology Overview 115
How Digital Certificates Work 117
Security Considerations 118
Making the Connection 121
Best Practices 121
Final Thoughts 121
10 Determining Identity: Portable Identifiers 123
Technology Overview 123
How Portable Identifiers Work 124
Security Considerations 126
Making the Connection 127
Best Practices 127
Final Thoughts 127
11 Determining Identity: Biometrics 129
Technology Overview 129
How Biometrics Work 131
Security Considerations 133
Making the Connection 135
Best Practices 136
Final Thoughts 138
PART 5 Preserving Privacy 139
Summary 139
Key Points 139
Connecting the Chapters 139
Introduction to Preserving Privacy 140
What Is Privacy? 140
How to Achieve Privacy 141
Protecting Digital Privacy 143
Protecting the Digital Privacy of Others 145
Final Thoughts 146
12 Preserving Privacy: Anonymity 147
Technology Overview 147
How a Mix Works 149
Security Considerations 152
Making The Connection 152
Best Practices 153
Final Thoughts 153
13 Preserving Privacy: User Tracking 155
Technology Overview 155
How Cookies and Spyware Work 157
Security Considerations 159
Making the Connection 161
Best Practices 161
Final Thoughts 162
14 Preserving Privacy: Spam Management 163
Technology Overview 163
How Spam Management Works 165
Security Considerations 166
Making the Connection 167
Best Practices 167
Final Thoughts 168
PART 6 Connecting Networks 169
Summary 169
Key Points 169
Connecting the Chapters 169
Introduction to Connecting Networks 170
One Computer, Two Computer, Red Computer 170
Specialized Networks Need Specialized Hardware 171
Networks: Power and Peril 173
Connecting Correctly 174
Final Thoughts 177
15 Connecting Networks: Networking Hardware 179
Technology Overview 179
How Routers Work 185
Security Considerations 186
Making the Connection 186
Best Practices 187
Final Thoughts 188
16 Connecting Networks: Wireless Connections 189
Technology Overview 189
How Radio Works 190
How Spread Spectrum Works 193
Security Considerations 194
Making the Connection 196
Best Practices 197
Final Thoughts 198
17 Connecting Networks: Network Lingo 199
Technology Overview 199
Security Considerations 205
Making the Connection 207
Best Practices 207
Final Thoughts 208
PART 7 Hardening Networks 209
Summary 209
Key Points 209
Connecting the Chapters 209
Introduction to Hardening Networks 210
Ideal Versus Reality: The Need for Hardening 211
There’s No Point in Closing the Barn Door After the Horse Has Left 211
Out with the Bad, in with the Good 212
More Harm than Good? 213
Final Thoughts 214
18 Hardening Networks: Firewalls 215
Technology Overview 215
How Packet Filters Work 222
Security Considerations 224
Making the Connection 225
Best Practices 225
Final Thoughts 228
19 Hardening Networks: Network Address Translation 229
Technology Overview 229
How NAT Works 232
Security Considerations 234
Making the Connection 235
Best Practices 236
Final Thoughts 236
20 Hardening Networks: Virtual Private Networks 237
Technology Overview 237
How VPNs Work 238
IPSec Protocols 240
Security Considerations 241
Making the Connection 241
Best Practices 242
Final Thoughts 243
21 Hardening Networks: Traffic Shaping 245
Technology Overview 245
How Traffic Shaping Works 246
Security Considerations 249
Making the Connection 250
Best Practices 250
Final Thoughts 251
PART 8 Storing Information 253
Summary 253
Key Points 253
Connecting the Chapters 253
Introduction to Storing Information 254
Don’t Leave Me Unprotected 254
Storage Caveats 255
Storing Securely 256
Summary 257
22 Storing Information: Storage Media 259
Technology Overview 259
How Storage Media Works 260
Security Considerations 260
23 Storing Information: Local File Systems 263
Technology Overview 263
How File Systems Work 264
Security Considerations 265
Making the Connection 267
Best Practices 267
Final Thoughts 269
24 Storing Information: Network File Systems 271
Technology Overview 271
How NFS and SMB Work 272
Security Considerations 273
Making the Connection 274
Best Practices 274
Final Thoughts 275
25 Storing Information: Databases 277
Technology Overview 277
How Databases Work 278
Security Considerations 280
Making the Connection 282
Best Practices 282
Final Thoughts 284
PART 9 Hiding Information 285
Summary 285
Key Points 285
Connecting the Chapters 285
Introduction to Hiding Information 286
How Things Can Be Hidden 287
How Hidden Things Are Found 289
Final Thoughts 290
26 Hiding Information: Cryptography 291
Technology Overview 291
Asymmetrical (Public Key) Cryptography 294
How Cryptography Works 295
Security Considerations 296
Making the Connection 297
Best Practices 297
Final Thoughts 298
27 Hiding Information: Cryptanalysis 301
Technology Overview 301
How Cryptanalysis Works 302
Security Considerations 302
Best Practices 303
Final Thoughts 304
28 Hiding Information: Steganography 305
Technology Overview 305
How Steganography Works 306
Security Considerations 309
Making the Connection 311
Best Practices 311
Final Thoughts 312
PART 10 Accessing Information 313
Summary 313
Key Points 313
Connecting the Chapters 313
Introduction to Accessing Information 314
The Burden of Choice 314
Textual vs. Visual Access: UNIX and Windows 316
Access Bold As Love 317
Final Thoughts 318
29 Accessing Information: Client-Server Architecture 319
Technology Overview 319
How Client/Server Applications Work 323
Security Considerations 324
Making the Connection 325
Best Practices 325
Final Thoughts 326
30 Accessing Information: Internet Services 327
Technology Overview 327
The Web 327
Email 329
Security Considerations 331
Best Practices 332
FTP and TFTP 333
Security Considerations 333
Best Practices 334
News 334
Security Considerations 335
Best Practices 336
Final Thoughts 336
31 Accessing Information: Remote Access 337
Technology Overview 337
How Remote Access Protocols Work 340
Security Considerations 342
Making the Connection 342
Best Practices 343
Final Thoughts 343
32 Accessing Information: Peer-to-Peer Networking 345
Technology Overview 345
How P2P Works 347
Security Considerations 348
Making the Connection 350
Best Practices 350
Final Thoughts 350
PART 11 Ensuring Availability 353
Summary 353
Key Points 353
Connecting the Chapters 353
Introduction to Ensuring Availability 354
Putting Off the Inevitable 354
The Anatomy of Redundancy 355
Size Matters 356
Final Thoughts 357
33 Ensuring Availability: RAID 359
Technology Overview 359
How RAID Works 360
Security Considerations 362
Making the Connection 362
Best Practices 362
Final Thoughts 364
34 Ensuring Availability: Clustering 365
Technology Overview 365
How Clustering Works 366
Security Considerations 367
Making the Connection 368
Best Practices 368
Final Thoughts 370
35 Ensuring Availability: Backup Systems 371
Technology Overview 371
How Backup Works 372
Security Considerations 373
Making the Connection 374
Best Practices 374
Final Thoughts 375
PART 12 Detecting Intrusions 377
Summary 377
Key Points 377
Connecting the Chapters 377
Introduction to Detecting Intrusions 378
Intrusion Detection Is an Art and a Science 378
What’s a Hacker? 379
Needless Complexity 380
The Vicious Cycle 380
Final Thoughts 381
36 Detecting Intrusions: File Integrity 383
Technology Overview 383
How File Integrity Works 384
Security Considerations 385
Making the Connection 387
Best Practices 387
Final Thoughts 388
37 Detecting Intrusions: Viruses and Trojans 389
Technology Overview 389
How Antivirus Software Works 392
Security Considerations 392
Making the Connection 393
Best Practices 393
Final Thoughts 394
38 Detecting Intrusions: Network Scanners 395
Technology Overview 395
How Network Scanners Work 397
Security Considerations 397
Making the Connection 398
Best Practices 398
Final Thoughts 398
39 Detecting Intrusions: Network Sniffers 399
Technology Overview 399
How Sniffers Work 400
Security Considerations 402
Making the Connection 403
Best Practices 403
Final Thoughts 404
40 Detecting Intrusions: Logging and Analysis 405
Technology Overview 405
How Logs Work 406
Security Considerations 408
Making the Connection 408
Best Practices 408
Final Thoughts 410
Index 411
Introduction
This book is both a reference guide and something that can be read end-to-end. It has been designed to provide decision makers with essential knowledge about information security concepts and technologies. After reading this book, will you be able to run out and implement a specific solution based on instructions contained within these pages? No. Will you know where any one technology fits within the framework of securing your business? Definitely. Will you feel comfortable discussing the technology in a business capacity? Absolutely.
Here is some advice to help you take full advantage of the experience:
Use the Website: Designed as a companion to the book, the website has loads of additional information. The structure of the site mirrors that of the book. There are additional chapters posted on the site that did not make it into the book. For each chapter, in the book and on the site, you’ll find links to additional resources including security articles, whitepapers and websites. You’ll also find corrections and clarifications. Finally, topic specific forums allow readers and community members to discuss security concepts, best practices and issues in an intuitive, organized manner. See http://www.sagesecure.com/nsi.
Use the Map: The book and the map are designed to be symbiotic. When used together, the reader can gain powerful insight about security technologies in a relatively short period of time. The map contains a large number of icons that have been strategically placed within a simulated business environment. All of the icons refer to technologies covered in the book. Corresponding chapters within the book are labeled with these icons. For example, on the fold out map, a tank icon is used to represent a virtual private network. The tank is located on the title page for the chapter on virtual private networks, and in the upper right margin of subsequent pages. This makes it easy to reference information about concepts on the map by just flipping through the book and looking for the appropriate icon.
Make the Connections: Many topics covered in this book have strong connections with one another. While reading a chapter, be sure to check out the "Making the Connection" section. The references provided will lead directly to concepts that surround the current chapter and give you tremendous insight to related technologies.
Read the Rest of this Introduction: We know; you want to jump right in and get your security-groove on. Resist the temptation for a few more minutes and finish up the introduction. We promise not to let it drag on and on (we ramble often enough later on in the book). You will get a lot more out of the book by understanding how content is organized and why we bothered to write this book in the first place.
Drop us a line: We may not be able to answer every question, but we’ll try. Frequent questions and their answers will get posted to the website, so check there first. Our address: [email protected].
How This Book is Organized
Security concepts are organized based on business needs, as opposed to technological similarity. We’ve tried to focus on how these concepts relate in terms of practical business functionality. For example, network monitoring is discussed in Part 1, "Managing Security" rather than in a section on intrusion detection. For people with a technical background, this method of organization may seem strange. But one of our goals is to change the way people think about security. As we’ll say many times throughout the book, security is not a technological issue; it’s a business issue.
As an end-to-end experience, we’ve organized the chapters into parts based on a managerial view of security. We can best explain our view with an analogy to building and securing a house:
• A house sits on a parcel of land. Securing the land is the first and most critical step to securing the house. An alarm system won’t help if the house is demolished by a natural disaster, or if it’s located in such a bad neighborhood that the police barely take the time to respond! These are examples of management level issues, and they are dealt with in the first few chapters of the book.
• The foundation of the house represents the network design. A network built with security in mind makes every other aspect of security much easier. A poorly built network can collapse on itself, and is very hard to secure after-the-fact. The house itself represents the information that moves around the network. That’s why the bulk of the book deals with information security.
• The security systems on the house are the finishing touches. Alarm systems, automatic lights, and insurance all contribute in the event that everything else falls apart. This is equivalent to ensuring availability and intrusion detection, found at the end of the book.
If it were possible to talk about information security in a straightforward manner, there’d be no need for the map in the back of this book. Actually, there’d be little need for the book, since linear concepts are often easy to understand. Alas, information security is like a bowl of pasta. Twirl one strand and next thing you know you’ve got half the bowl wrapped around your fork. You can’t talk about one security topic without talking about three or four others… and talking about those means talking about three or four more… you get the picture.
Challenging as it was, we tried to make each chapter stand on its own without relying on the knowledge found in other chapters. As a result, a technology or concept is not mentioned in passing unless it has been previously given a clear explanation. That said, understanding the surrounding concepts always helps, which is why each chapter contains a section that links to related chapters ("Making the Connections"). In a similar vein, each part also starts with a "Connecting the Chapters" section that shows how the part’s chapters interrelate.
How the Chapters are Organized
Each part of the book has a title that describes a business-level need. Examples of part titles are “Managing Security,” “Accessing Information,” and “Storing Information.” The chapters within each part discuss technology concepts related to the business need.
Every part begins with a quick reference page. On the page is a “Summary” that describes the business need and how security fits into the picture. The page also highlights some “Key Points” made throughout the part’s introduction and shows how the part’s chapters interrelate (“Connecting the Chapters”). After the reference page, the introduction explores general security issues faced when servicing the business need.
Within the chapters, we’ve tried to organize things consistently. The following six sections can be found in almost every chapter, in this order:
Technology Overview: This covers the basics—what the technology or concept is all about and how it functions in a business environment.
How it Works: Without getting too technical, we try to describe the way in which the technology or concept works in practice.
Security Considerations: This is where we talk about the security problems caused by the technology or concept. In chapters that describe networking topics, we focus on security issues inherent in whatever’s being covered. In security topic chapters, we look at the limitations of the given security technology/concept and how they can be overcome.
Making the Connection: Here we tie concepts to other chapters in the book. In general, reading the connected chapters will improve your overall understanding of any particular security topic. In a few cases, making the connection is critical to completely understanding the chapter at hand.
Best Practices: We’ve collected some tips and suggestions based on our experience and the experience of others in the security field. These are techniques that can improve the effectiveness of a security technology or prevent failures.
Final Thoughts: This is where we summarize key issues or mention anything that didn’t fit in one of the other sections. If we’ve got nothing else to say, we might just blab for a few paragraphs to fill up space.
Why We Wrote this Book
This book was written to provide a general business audience with the knowledge they will need to properly integrate security into their company. The concept is based on our vision that in the years to come, business will no longer be able to afford to be reactive about security. We firmly believe that information security will become a fundamental part of all business infrastructures. Organizations of all shapes and sizes will reorganize, plan and spend a lot of money to properly protect and defend the core of their business: information.
We don’t believe there’s anything like this book in the realm of information security. What does exist tends to fall into a few basic categories:
Trade Media: There are hundreds of magazines and journals that rant and rave over the latest in network and security technologies. These sources are a great way to stay informed. However, many of these articles skirt the line between paid advertisements and devout worship. It’s very difficult to get an honest picture of a particular technology from these sources alone.
Books for “Simple” Needs: These books are designed to give people who lack technical backgrounds an understanding of isolated security concepts. They can often provide the average user with simple solutions for their needs, but won’t provide managers with enough information to feel confident about their choices.
Hacker Books: On the other end of the spectrum are security books for system administrators and hackers. Frequently written by an infamous hacker or security expert, these titles focus on specific “hands-on” security for Unix and Windows machines. They also discuss methods in which to break into these machines. These books are usually full of riveting inside jokes like:
%
\(-(-: Command not found.
Technical Documentation: Concerned about wireless security? Why not just read the original specifications for your wireless system and analyze it yourself? Or, grab a whitepaper and a cup of coffee and solve your dataflow problems. This includes the many excellent books on particular technologies, such as TCP/IP Illustrated (a book that we’ve read cover to cover many times).
After years of looking closely at these options we realized something was missing: a comprehensive reference guide written for intelligent business people. This is a book that provides the reader enough information in a few pages to make business-level decisions. A compilation that relates security concepts and technologies based on the way they’re used in real life—not based on technological similarities or ideals. In other words, a practical guide to information security.
So here it is… we hope you find it useful. If you like it (or don’t) please let us know how we can make the book better by sending feedback to: [email protected]
Jay Albanese
Wes Sonnenreich
Acknowledgments
This project began as a dream of ours, to write a book that clearly bridges the gap between the worlds of technology and business. We don’t know if we’ve actually done that, but we couldn’t have even tried without the help of many individuals. Thank you to everyone who gave his or her time, thoughts, support and encouragement during the long and grueling process of making our dream a reality.
Neil Burstein for representing us, guiding us, reviewing our material and becoming part of our team.
Robert Altman for encouraging our idea and providing invaluable feedback that gave us the confidence to put the initial proposal together.
Robert O’Brien for reviewing our work and feeling strongly enough about it to attach his name to the cover.
Ola Peterson and Tom Fogerty for their review and input of many critical business sections of this book.
Kenny and Michael Faltischek for reviewing specific portions of this book, and for their ongoing advice, guidance, and friendship.
Tom and Caroline Yates for their thorough review of the technical accuracies of many of the chapters, and more importantly for being great friends over the years.
James Deverell for giving thorough comments and criticisms (and helping us to design the 1-page summary at the beginning of each part). He visited us in NY expecting to have a fun weekend on the town, and instead we handed him 100 pages and a red pen.
A special thank you to the entire XPLANE team including David Grey, Bill Keaggy, and Judd Knight who gave this book character, personality, and a fighting chance on the bookstore shelves. We admire their professionalism and dedication and thank them for doing an outstanding job.
To our editors, Marjorie Spencer for believing in our idea and making it a reality, and especially to Judy Bass for keeping the torch lit during the downpours we endured, guiding us to a successful conclusion and putting up with our constant needs and detail oriented obsessing. Also, a special thank you to Cary Sullivan, for opening the doors to McGraw-Hill and for being a friend during some crazy times.
Beth Brown and her team at MacAllister, for putting in heroic effort at the 11th hour by stomping out copy issues, getting us the layout we envisioned, and enduring many extra rounds of obsessive tweaking.
Linda Orton for all of the feedback, ideas for marketing and sushi dinners. Her friendship and support was a key factor in our success and in our desire to form SageSecure.
Bruce Stout, whose Rainmaker’s Forum proved invaluable in connecting us with people that have helped shape our book and our business. These people include Charles Jones, Gary Osland and Jack Gold.
Rochelle and Randy Blaustein once again provided much appreciated support and feedback during the planning and writing process. Without Rochelle’s initial faith years ago, this and Wes’s other books would never have been written.
Brendan Hammond for his friendship, hospitality in Perth, and highly enjoyable discussions on business, ethics and life. Particularly relevant to this book were the unforgettable experiences at Argyle Diamonds, which has a unique need for both physical and information security. Furthermore, for introducing us to Lionel Louw and Kevin Russell, whose thoughts and ideas about management consulting gave us additional confidence in our own approach.
Jess, Eggy, EK and Mike (161) for listening to Jay’s ideas and reviewing portions of the book, all while pretending to enjoy the topic at hand. Daryl Klein for listening to Jay rant about the process of writing a book on more than one occasion. Without great friends like you it would have been impossible to remain sane and focused throughout this project. Likewise, Wes owes a big thanks to his friends who had to endure a year of whining about the pain and agony of the writing process. Lisa Braun and Sabrina Walton deserve a special mention (along with those who have already been recognized), since they not only listened to the endless complaints, but actually read chapters and gave extremely valuable feedback on our approach to writing. The writing process even led to making new friends: Young, Jeff and the crew at Kudo Beans contributed a steady supply of high quality caffeine, a comfortable writing environment, and fun times when the writer’s block made work impossible.
Rory, because of his concern for our success and for being there to make us laugh when it was very much needed.
Jason would like to particularly acknowledge James and Terry Albanese for their unending encouragement, love and support from the time when he was focused on building Lego cities instead of companies. It is only with their faith that Jason has been able to chase down his dreams.
And finally, a great big thank you to our beds, which will be supporting us tonight when we pass out from a year’s worth of accumulated exhaustion.
I
Managing Security
Summary
Information security is a business issue that needs to be managed effectively. Good security management can provide consistent protection from compromised data and downtime. Although complete security is impossible to achieve, too little security can cost a company dearly. The appropriate amount of security is unique to every organization. The following chapters explore some of the methods and tools used to manage security.
Key Points
• Information security is a business problem, not a technology problem.
• Total security is impossible. A trade-off has always existed between security and usability.
• Some amount of security is possible, but this can only be achieved after an organization identifies its security philosophy and integrates that philosophy into its business processes.
• Security policies are used to integrate a security philosophy with business processes. They should be driven by the needs of the business, not the needs of the technology.
Connecting the Chapters
When developing a security philosophy, a security assessment can provide necessary information on how business processes use network technology. It also identifies critical points of security within the business.
Once a philosophy has been established and security policies have been developed, systems and network monitoring tools provide feedback. This feedback can be used to refine policies and the overall philosophy.
• Chapter 1, “The Security Assessment,” gauges the risks facing a network and uses the analysis to select and evaluate potential solutions.
• Chapter 2, “System and Network Monitoring,” describes tools to enable centralized control and analysis of network systems.
Introduction to Managing Security
Information security has little to do with technology; it’s a business problem. If a business needs security, it needs to build security into its very core—its mission and vision. It can be thought of as the fabric an organization’s vision is embroidered upon. Ideally, security should be integrated into a business when it is first created or whenever the mission is refined.
Incorporating security into an organization’s vision is an executive role that can’t be delegated. The core focus and mission of the business must be evaluated in the broadest manner. One way to start this process is to ask, “What makes our customers/investors/partners believe in us?” Look at how confidence is created and then think about how that confidence could be destroyed. What disasters, either natural or man-made, could ruin the business overnight?
Of course, for most of us it’s too late to get security in at the start, and significant changes to an organization’s vision don’t occur all that often. Instead, we’re stuck retrofitting security into an already mature business model. That makes things a little more difficult, but by no means impossible.
Security and Business Processes
Whether it’s to improve efficiency, cut costs, or prepare for future changes, at some point every business process gets reevaluated. This is the best time to factor in security. With just a little more effort, you can apply your company’s security philosophy to every aspect of the process.
As you evaluate your business processes, it’s important to avoid falling into the trap of treating network security as a “separate” issue. Your network provides information and information services, which are used in larger business processes. What are those processes? Which ones are critical to the business? How can these processes fail? Generally, you’ll find the network is just one of many factors that can lead to a business process failure. Your strategy must go beyond the individual factors, protecting each process as a whole.
Visions of Security
The purpose of a vision is to set expectations and goals. Security adds confidence to the vision. Look at one of the biggest companies on the planet: Coca-Cola. In many parts of the world, it’s the only beverage a tourist may feel completely safe drinking. It’s not even a question in most people’s minds; it’s just a fact, and it isn’t that way by chance. Part of Coca-Cola’s core vision is to ensure that their beverage is always safe to drink everywhere. The same goes for McDonald’s food. It is unlikely you'll get sick from a McDonald’s burger in any part of the world. Finally, have you ever felt in the least bit threatened at a Disney park (phobia for giant helium-voiced rodents aside), even though no visible security is present?
Breaking Down Business Processes
The most important aspect of any business process is people (or robots, if you work for Honda, Sony, or Matsushita). People need access to resources and information. They need to communicate with others. They need tools to help them operate efficiently. They need support when things go wrong. They need to be monitored, but they also need some privacy.
Every one of these needs factors into your business process. These needs also have direct security implications. Here are a few questions to think about as you look at the human resource components of your business process. After each question, the related security concepts, technologies, and the parts that cover them are listed.
• How will you control usage of critical resources without hampering the efficiency of the people who need those resources to do their work? (Part 4, “Determining Identity”)
• How can you monitor the productivity and compliance of your employees while protecting their privacy? (Part 1, “Managing Security,” and Part 5, “Preserving Privacy”)
• How will people access/exchange information? (Part 10, “Accessing Information”)
• What happens when the tools needed pose direct threats to the security of the business process? (Part 12, “Detecting Intrusions”)
• What happens when people need technical support? (Part 2, “Outsourcing Options”)
The Business Needs Should Dictate the Nature of Security
As a rule of thumb, business procedures should never be overhauled to satisfy security needs. A common mistake is to pick a security solution and then force related business processes to adapt. Unfortunately, doing this can seriously disrupt these business processes. Eventually, the processes may fail, or people might circumvent the security in order to get their job done.
If you can’t make the existing process secure enough, the problem escalates back to the executive level. Somebody has to decide to reengineer the process. Even then, the new process must be primarily driven by the needs of the business, even if it ultimately means compromising security.
Obviously, the ideal situation is to factor in security from the start. If you happen to be reevaluating a business process that had sensible security considerations built-in from the beginning, you’re incredibly lucky. Buy some lottery tickets and send us a few. In the meanwhile, we’ll be teaching the rest of the world how to shoehorn some security into their existing processes.
Information is a critical part of any business process. It’s an initial ingredient, an intermediate component, and part of, if not the entire, final product. As you look at your processes, look at the flow of information throughout the process and think about the following questions:
• Does critical information reside in a secure environment? (Part 8, “Storing Information”)
• Do you need to control and protect the information as it moves throughout your organization? (Part 6, “Connecting Networks,” Part 7, “Hardening Networks,” and Part 9, “Hiding Information”)
• Does the information need to be controlled once it travels outside the company? (Part 3, “Reserving Rights”)
• What happens if people can’t get the information? (Part 11, “Ensuring Availability”)
• How will you know if information has been maliciously altered? (Part 12)
• What will you do if the information is damaged or destroyed? (Part 11)
• Does the information need to be encrypted and/or authenticated? (Part 9)
The process of collecting the data to answer these questions is called a security assessment. The assessment forces you to acknowledge and address all the critical security issues associated with your business. When a security assessment is complete, you will be left with all the information and analysis needed to formulate your security policies. We will go into much more detail in the next chapter, which specifically covers security assessments.
The Harsh Truth
The concept of complete security is an illusion. It’s impossible to make something totally secure and usable at the same time. You can build a room with only one door and put all the security in the world around it, but in order to get in the room, the door needs to open. Once that door is open, an intruder has an opportunity to get inside. Every technology thrown at the problem is limited by the reality that some form of access must be granted to legitimate users.
Security technologies and systems attempt to anticipate how an intruder might come through the open door. This sounds like a reasonable approach, but it ultimately fails because the systems themselves are fallible. Machines can only do what they’ve been programmed to do. People can be tricked and make mistakes. Intruders exploit these facts to get around the best and most elaborate security systems.
Managing Perception
If security is an illusion, managing security is about managing the perceptions of your observers. Some of these observers are the attackers you’re protecting yourself against. For many of these attackers, you’re not a specific target; you just happen to be in their line of sight. Think of a mugger. He doesn’t specifically want your money; anybody’s money will do. As callous as it sounds, you want the attackers to look at someone else who appears more vulnerable.
The best way to get passed over is to make the attacker think that you’re more trouble than it’s worth. This is the tacit principle behind every form of practical self-defense; learning the techniques gives you confidence, which deters potential attackers. After all, even criminals don’t want to get hurt. They’ll just wait until someone defenseless comes along. Likewise, having a strong-looking security system is often enough to make hackers and other criminals pass over your network in search of easier prey.
But don’t kid yourself. The criminals aren’t actually afraid of you; they’re just doing a perverse cost-benefit analysis. Your training or expensive security system is no match for street smarts in a real brawl. You certainly don’t want to brag or otherwise encourage a challenge.
What does it take to encourage attention? Oracle did a good job with their “Unbreakable” campaign, which offered a reward to anyone who could find a hole in their database software. The marketing slogan alone was enough to attract the attention of vigilante hackers; the reward simply pushed it over the top. Let’s just say it didn’t take long before shattered code littered the ground of Redwood Shores.[1] Other companies, including Microsoft and a number of security vendors, have issued similar challenges with similar results.
If you keep a low profile, you’ll improve your chances of being ignored. Although companies like Microsoft and Oracle can get away with baited remarks, you don’t want that sort of attention drawn to you or your organization. So don’t walk around the Internet with your tae kwon do black belt tied around your waist.
Unfortunately, keeping a low profile isn’t enough. Sooner or later, you’re going to have a problem. The key is to manage the risk ahead of time. Many industries have their own regulatory bodies that offer guidelines or dictate requirements for security. Part of the risk-management process involves becoming compliant with the accepted security practices within the industry.
Some industries are behind the eight ball when it comes to security. Their regulations and recommendations are either outdated or flawed in principle. The result is that achieving compliance might actually weaken an organization’s “real” security. To the astute security manager, this means that security needs to be dealt with on the political level as a business risk management issue, as opposed to a technological one. Ironically, these managers are likely to have the most successful security policies. Why? Because by accepting that the technology battle is a lost cause, they focus on the thing that matters most: perception.
Perception Versus Reality
Our expectations, formed by our experiences in life, predispose us to certain notions of security. For example, a door guarded by a heavily-armed person is seen as more secure than one that has just a lock. This perception has nothing to do with reality. For example, the heavily-armed person might be easily bribed or led away from his or her post. Or maybe a window is open around the corner where the guard can’t see it. In reality, an unguarded but locked door might present a greater challenge to an intruder, yet most observers will say an armed guard makes the door more secure.
[1] It could be argued that this was actually an intelligent ploy on Oracle’s part. By offering a reward, they got thousands of hackers around the world to discover and notify them about flaws they otherwise would not have found. They used psychological judo, manipulating their adversaries into using their strength against themselves. Within a short time, they were able to clean up the “low-hanging fruit,” making their system significantly more secure.
The Security Philosophy
The expectations and goals created by an organization need to be supported by a compatible philosophy toward security. This philosophy is the way an organization approaches the topic and concepts of security. The philosophy establishes and defines a stance on security that dictates the operational parameters throughout the organization. It’s easier to create a successful security philosophy if some flexibility exists within the vision.
The ideal time to work on developing a security philosophy is during a business-level reorganization. Is the business moving in the next year? Is the business laying off a percentage of employees, or are many new people joining the firm? Is management unhappy with business flow and thinking about revising the general process? These are drivers of organizational change. Make sure that security is part of the change process.
The Disaster Spectrum Philosophy
Basically, two types of disasters can befall information and information services. The first is the destruction or corruption of data and denial of service. The second is unauthorized access of data and service. As bad as both are, one is often preferable over the other. Which one? It depends on the nature of the organization with the bad luck.
It turns out that service firms are most sensitive to data or service destruction and corruption. These are companies such as medical, legal, and accounting firms. Data destruction means downtime, which directly impacts revenue. Law firms can lose tens of thousands of dollars in potential billable hours if their networks go down for a short while. Doctors might not be able to access patient records, which could cost a life.
The Security Cycle
A philosophy leads to policies, which lead to procedures, which lead to enforcement, which can be monitored and analyzed to provide feedback that can be used to adjust the original philosophy and policies.
For these organizations, information theft isn’t as big of an issue. This doesn’t mean that it’s irrelevant; it means that if they had to choose, they’d protect against data loss and destruction first. Their security philosophy for information is keep it available.
Likewise, companies with a heavy investment in intellectual property (R&D) are often much more concerned with information theft. Plenty of prototypes and blueprints are lying around, so destroying data wouldn’t be a major setback (and didn’t the fusion group accidentally blow up the server room last week anyhow?) But if the competitors get early wind of the latest breakthrough, the entire product line might become worthless. Here the security philosophy is to focus on secrecy and privacy.
Then there’s the half-and-half organizations. Here’s where information technology (IT) companies (product/service firms) usually end up. These companies are equally miserable whether data is destroyed or stolen. If you’re lucky enough to be reading this book at the start of a new company, do whatever you can to avoid this pit of despair. Either end of the spectrum is easier to secure than the middle. The security philosophy for the middle is to avoid getting burnt or cut by the flaming knives you’re juggling. If you’re already stuck here, at least you’re in good company.
■ Figure I-1 The Disaster Spectrum
[Figure: organizations placed along a spectrum from destruction of data at one end to theft of data at the other. Labels shown, from the destruction end toward the theft end: Accounting Firms, Law Firms, IT Products and Services, Marketing, Media and PR, Research and Design, Intelligence.]
Security can provide protection from two extreme scenarios, theft of data and destruction of data. Some organizations are not concerned about theft, but worry about the destruction side of the spectrum. Other organizations need to protect their intellectual property and want to avoid data theft at all costs. Many organizations end up somewhere in the middle, defending against both.
The Security Policy
Your security philosophy will have to be interpreted for each business process. These interpretations are known as security policies. Some organizations have just one general policy; others have specific policies for each department. Some policies become legal contracts that bind employees, such as compliance and nondisclosure agreements. Others are more technical, prohibiting or authorizing the use of various services such as telephones, computers, and other company resources. Regardless of the presentation, a security policy is just a process-level application of the security philosophy.
Security policies are powerful, because they can both positively and negatively impact your organization’s culture and morale. Security policies can even be used as a tool to change organizational behavior, but security should never be the rationale, or driving force, behind business model or culture changes. What happens far too often is that a security approach is chosen and the business model is altered to fit the approach. This is a recipe for disaster.
A successfully implemented security policy will support your business processes while providing necessary protection. It’s even possible for a well-planned set of policies to significantly enhance your business culture. However, a policy not in line with your business model can erode morale or prevent work from getting accomplished.
Security policies have organizational and technical components. The organizational part of a policy creates rules for employees to follow, often taking the form of a legal document or a set of procedures. Some examples of organizational policies include confidentiality/nondisclosure agreements and privacy policies. Procedures for handling sensitive information would also be considered organizational policies.
The technical component of a security policy enforces the organizational rules. Hardware and software systems are used to control the flow of information. Many of the technologies described throughout this book can be used to implement technical security policies.
Not all security policies need technical components. Some rely solely on man-agement and legal procedures to ensure compliance, but many policies are best monitored and enforced with the help of technology. For example, the organizational component of a security policy might prohibit general access to the Internet. The corresponding technical policy would be implemented with software that actively blocks access to unauthorized Internet resources.
Many examples of both organizational and technical security policies are available on the Internet. Some are fill-in-the-blank forms; others are samples from real companies. Working with an example policy is a great way to ensure your policy addresses all the critical issues. But be careful—we do not recommend using any of these samples verbatim. Your security policies must be carefully tuned to the needs of your business.
Security policies are generally toothless on their own. They’re just rules on paper unless they’re enforced. Procedures and oversight roles can be used to enforce legal and organizational policies, but we won’t get into the details here. This book deals with technology systems that enforce or manage technical security policies.
Common Types of Security Policies
Network technology is a broad field. Accordingly, many different types of security policies exist within this field, and this section briefly summarizes the following policies that apply to most businesses:
• Acceptable use
• Email
• Local and remote access
• Assessment
Acceptable Use Policy
The Internet can be a helpful research tool as well as an extremely powerful marketing resource for your products or services. But unrestricted access to the Internet can lead to countless hours of total distractions for employees who misuse it.
An acceptable use policy dictates what users can and cannot do on your network. The policy allows and denies various common activities. For example, personal browsing of the Web might be allowed, but certain types of sites might be denied. Activities that harm, or have the potential to harm, the business will also be denied in the policy.
Practicality prevents an acceptable use policy from explicitly handling every possible use of a network. Therefore, a good policy will state up front whether any other forms of network use are allowed or denied. This is truly a question of company culture. Companies that trust their employees often leave the decision in the hands of the user. Those in sensitive industries may prohibit any activity other than those explicitly stated in the policy. This is the most secure stance, but it requires that the policy be very well thought-out.
Many different technologies can be used to enforce the acceptable use policy, including systems that limit outgoing access to designated Web sites. They can prevent access to sites and services such as Web-based email, news, instant messaging, and games.
A good acceptable use policy can have numerous benefits. If your company culture is focused on efficiency, you can remove the temptation to waste time with personal email and aimless Web browsing. Restricting Internet usage also can minimize exposure to viruses and hackers that target corporate users.
A downside exists though. Overly restricting access to resources can negatively affect company morale. You do not want to gain productivity or security at the cost of treating your employees like children. If you need prohibitively high levels of security on the network, you might want to consider providing a separate, easily monitored system for unrestricted online access.[2]
Email Policy
Email has become an indispensable form of communication. Day in and day out, most companies rely on email to do business. Unfortunately, email is also extremely insecure. It’s an open channel through which any type of information can enter or leave your network. Uncontrolled email undermines all your network security systems.
Although absolutely necessary, email control is always a sensitive topic for a company. People tend to take their email access very personally. It’s difficult to take away or restrict email access without seriously harming company morale.
Creating an email policy requires some thought. Figuring out a strategy that satisfies your business model and your security needs while keeping your employees happy isn’t easy. The following are some of the questions to consider:
• Should email from outside the company be allowed into your network?
• Do you have the facilities to host your own email, or should you outsource it?
• Do you want to permanently store all email or force deletion after a certain amount of time? What does the law allow?
• How will you prevent email viruses?
• Is secure email a general need, a limited need, or unnecessary?
• What should users do about personal email? Will you monitor their personal email use?
• Do users need off-site access to company email?
Many aspects of an email policy can be transparently enforced using technological solutions, but the best way to make email secure is by properly educating your users. Teaching a few basic techniques, such as how to recognize a potentially harmful message, can be far more effective than most email security technologies. Thus, education and technology should be used together to create a successful policy that balances productivity and security.
Local and Remote Access Policies
Local and remote access policies specify how access to the systems on your network will be obtained. Local access policies cover authentication within the company’s network, whereas remote policies deal with connections coming in from outside the network, including network-to-network connections.
[2] For example, placing a few full-access computers in high-traffic areas will allow employees to check personal email, stocks, and Web sites during short breaks. The location makes it easy to see if people are abusing the service and therefore discourages abuse in the first place.
For most networks, local access is controlled physically, involving simple things like guards and locks on doors, and by using more complicated techniques like passwords. Often a user will need more than one password to access a variety of resources. The more passwords users have to supply, the more likely they’ll either choose bad ones or simply write them down somewhere. Neither situation is good for security.
A good password policy minimizes the number of passwords a user needs. It also ensures that users select good passwords that are easy to remember. The policy also must address situations such as lost passwords and changes. Will these passwords be centrally managed? Will biometric devices be used? These and similar questions determine a local access policy.
Remote access is another problem altogether. Allowing a machine that you don’t control to access your network is risky. In general, no remote access is the best policy, but sometimes this isn’t possible. A good remote access policy ensures that the machine accessing your network does so in a secure manner. It limits the services available to remote users or requires the connecting machine to use a secure network connection.
Assessment Policy
A company must be able to see what’s happening on its network. Assessing the network allows the company to detect failures, trace intrusions, observe user activity, prevent abuse, and generally nose around for anomalies and red flags. Although a company has the right to look at anything it wants, its employees have a right to know that they’re being watched. Setting up an official assessment policy ensures that you’re appropriately communicating with your staff.
The trickiest part of designing an assessment policy is deciding how, and to what extent, employees are monitored. If you want to track employee network abuse, unscheduled assessments will have a direct impact. If you are looking to verify data and take inventory, a routine assessment may make life easier on the IT department’s busy annual schedule.
An audit policy makes the boundaries of personal privacy clear to everyone in the company. If employees know that someone could be watching at any moment, they won’t feel violated by an unexpected audit. A good audit policy will balance privacy with security and peace of mind. It should allow the company to assess and examine usage, while allowing the staff enough freedom to build a positive office culture.
Final Thoughts
Having a security philosophy is critical to a company’s long-term health. An organization without a well-defined security philosophy will be severely disrupted when a disaster happens. Perhaps years may go by without a problem, but eventually something will happen. Placing security at the heart of your business is a necessity.
“Plans are nothing; planning is everything.” This maxim, usually credited to Dwight Eisenhower, should be kept in mind when considering security. Realize that policies and plans change frequently. The process of creating a security philosophy (or planning) builds the skills needed to rapidly adapt to a volatile environment. Field Marshal Helmuth von Moltke was fond of saying, “No plan survives contact with the enemy.” Nothing could be more accurate when it comes to securing a network against hackers and other disasters.
Part of managing security risks is to stay on pace with, or slightly ahead of, the rest of your industry. Don’t be afraid to look at competitors or companies in similar industries. How are they addressing their security issues? No organization should want to be too far ahead of or too far behind the pack. Being too far ahead means playing the role of the guinea pig. Being too far behind means the competition has the edge.
Managing security is a skill, just like any other type of management. There really is no magic to the process. It takes time to learn, and a lot of trial and error is involved. Start simple: Incorporate security into the evaluation of a basic business process. Practice by looking at security issues specific to that process.
In the following chapters, we’ll look at how security assessments and network monitoring systems can help in designing, implementing, and enforcing security policies.
Chapter 1: Managing Security: The Security Assessment
A security assessment gauges the risks facing a network and is used to select potential solutions.
Technology Overview
You can’t manage problems if you don’t know they exist, and you can’t manage successful execution if you don’t measure deliverables. A security assessment identifies a company’s technical and organizational security fallibilities. The goal of such an assessment is to gather information in order to create or revise security policies.
No “standard” security assessment exists. It’s a process that is custom-tailored to each organization. Templates, guides, and software tools are readily available to help conduct a security assessment for any organization, and consultants who specialize in conducting security assessments can also be hired. However it is accomplished, a security assessment will vary depending upon the security goals of the organization being analyzed.
Don’t confuse security assessments with security audits. In our opinion, these are two very different concepts. The term audit refers to an established compliance procedure used to satisfy legal or regulatory obligations. An assessment is an internal initiative used to create a baseline picture of a network’s security, usually for the